DECEMBER 5, 2011
AUDIT REPORT

OFFICE OF AUDITS

NASA FACES SIGNIFICANT CHALLENGES IN TRANSITIONING TO A CONTINUOUS MONITORING APPROACH FOR ITS INFORMATION TECHNOLOGY SYSTEMS

OFFICE OF INSPECTOR GENERAL
National Aeronautics and Space Administration

REPORT NO. IG-12-006 (ASSIGNMENT NO. A-11-003-00)

Final report released by:

Paul K. Martin
Inspector General

Acronyms

ASCS          Agency Security Configuration Standards
AVAR          Agency Vulnerability Assessment and Remediation
C&A           Certification and Accreditation
CAT           Configuration Assessment Tool
CIO           Chief Information Officer
CIS           Center for Internet Security
CISO          Chief Information Security Officer
FDCC          Federal Desktop Core Configuration
FIPS          Federal Information Processing Standards
FISMA         Federal Information Security Management Act
FY            Fiscal Year
IT            Information Technology
ITSEC-EDW     Information Technology Security – Enterprise Data Warehouse
NIST          National Institute of Standards and Technology
NITR          NASA Information Technology Requirement
NPR           NASA Procedural Requirements
OCIO          Office of the Chief Information Officer
OMB           Office of Management and Budget
SP            Special Publication
US-CERT       United States Computer Emergency Readiness Team
USGCB         United States Government Configuration Baseline
OVERVIEW

NASA FACES SIGNIFICANT CHALLENGES IN TRANSITIONING TO A CONTINUOUS MONITORING APPROACH FOR ITS INFORMATION TECHNOLOGY SYSTEMS

The Issue

Cyber-based threats to NASA’s information technology (IT) systems come from a variety of sources, including foreign nations, criminals, terrorists, and disgruntled employees. Combating these threats requires a dynamic security process that identifies and mitigates vulnerabilities in NASA’s IT system components effectively and promptly.

The Federal Information Security Management Act of 2002 (FISMA) requires NASA and other Federal agencies to report annually on the security posture of their information systems.1 Prior to May 2010, NASA assessed the security posture of its systems using a “snapshot” certification and accreditation (C&A) process in which the Agency assessed security on a periodic schedule and at a fixed point in time. Under this approach, NASA required system owners to reauthorize their systems on a 3-year cycle and placed little emphasis on the use of automation to continuously monitor critical IT controls.

In April 2010, the Office of Management and Budget (OMB) issued new guidance on FISMA reporting requirements that emphasized continuous monitoring to provide ongoing, near real-time risk management and operational security for IT systems. In May 2010, NASA’s Office of the Chief Information Officer (OCIO) suspended the C&A process it had been using for reviewing operational IT systems in favor of what it called “a more streamlined system security authorization process with a focus on continuous monitoring, automated tools, and significant paperwork reduction.”2 In a May 2010 interview with Federal Computer Week, NASA’s Deputy Chief Information Officer (CIO) for Information Technology Security said that C&A “will still be done, but the way we do it is going to change significantly and the frequency of it will change. Instead of every 3 years . . . you’re always going to be looking at those controls and adjusting them for changes.”3

    1 See Appendix B for the glossary of terms used in this report.
    2 NASA OCIO memorandum, “Suspension of Certification and Accreditation Activity,” May 18, 2010 (see Appendix C).
    3 Ben Bain, “A NASA deputy CIO explains NASA’s new policy for certifying its systems as secure,” Federal Computer Week, May 24, 2010.
As part of the transition to a continuous monitoring program, NASA has undertaken the following initiatives:

    • Developed the IT Security – Enterprise Data Warehouse (ITSEC-EDW), an inventory of NASA IT components and related security information.

    • Formed the Agency Vulnerability Assessment and Remediation (AVAR) team, which is responsible for the Agency’s vulnerability management project and for Foundstone Enterprise, the Agency’s automated network vulnerability scanning tool, as well as for communication between Foundstone Enterprise and ITSEC-EDW.4

    • Instituted the Agency Security Configuration Standards (ASCS) project to provide assessments, recommendations, processes, and procedures to assist NASA in meeting system security configuration requirements.

    4 Foundstone Enterprise is the commercial off-the-shelf enterprise software solution used when scanning NASA’s networks and systems for vulnerabilities. (McAfee, the manufacturer of Foundstone Enterprise, recently changed the name of the product to Vulnerability Manager.)

This audit reviewed NASA practices to determine whether the Agency was establishing a solid foundation to implement a continuous monitoring program. Specifically, we focused on NASA’s progress in three key elements: record of IT components, configuration management, and vulnerability monitoring.

Results

Although NASA has made progress in transitioning to a continuous monitoring program, the Agency needs to take significant steps to ensure the successful implementation of its program. Specifically, NASA needs to (1) create and maintain a complete, up-to-date record of IT components connected to Agency networks; (2) define the security configuration baselines that are required for its system components and develop an effective means of assessing compliance with those baselines; and (3) use best practices for vulnerability management on all its IT systems. Failure to make improvements in each of these areas will limit NASA’s ability to accurately assess the security of its IT systems.

Agency Continuous Monitoring and Reporting System Data Are Incomplete. We found that to ensure successful implementation of continuous monitoring, NASA needs to significantly improve its procedures for recording IT components in ITSEC-EDW, the database it uses to track and report its security posture. NASA’s goal is to monitor 100 percent of its systems and connected components. The first step toward that goal is compiling a complete and up-to-date inventory that provides IT security personnel with real-time awareness of all components connected to their systems that need protection.

NASA established ITSEC-EDW in response to a recommendation we made in a September 2010 audit.5 As mentioned above, ITSEC-EDW is intended to serve as an automated data warehouse providing an inventory of NASA IT components and related security information. However, we found that the majority of components we reviewed were not included in ITSEC-EDW and that the information concerning the remaining components in the sample was incomplete. Specifically, we judgmentally selected a sample of 289 components connected to NASA systems and found that 175 of these components (61 percent) were not included in the database and that patch agent or vulnerability data was missing for 93 others (32 percent). Moreover, ITSEC-EDW included both patch agent and vulnerability data for only 21 of the 289 components (7 percent) we tested. Failure to maintain a complete and up-to-date inventory of components in ITSEC-EDW will significantly diminish the effectiveness of NASA’s continuous monitoring program.

Security Configuration Baselines Are Not Available and Continuously Monitored on Many IT Components. NASA’s IT components require secure configurations to protect them from internal and external threats. A security configuration baseline is a collection of security settings for components such as file servers, web servers, application servers, and clients that provides a compliance benchmark for how an organization’s computer systems are to be configured. Where there are no generally accepted baseline settings for a particular system, agencies must either adopt other measures, such as Center for Internet Security (CIS) benchmarks, or develop their own security configuration baselines.

For its Windows desktop operating systems, Microsoft Windows XP and Vista, NASA uses Federal Desktop Core Configuration (FDCC) baseline settings. NASA has automated means for tracking compliance with FDCC settings and reports compliance with these settings to OMB. For components such as Unix/Linux and Windows server components that have no FDCC baselines, NASA has adopted CIS benchmarks.
NASA does not have automated means for tracking compliance with CIS benchmarks. Our review focused on NASA systems that use CIS benchmarks.

We found that the implementation of CIS benchmarks varies widely from one system to the next across the Agency and that no processes are in place to measure and monitor benchmark compliance. Without an effective monitoring and measurement capability, system owners and NASA management have limited means for determining whether systems are compliant or are meeting the IT security goals of the Agency.

Inconsistent Vulnerability Monitoring Is Not Effective in Identifying All Known, High-Impact Vulnerabilities. Vulnerability scanning is an important aspect of continuous monitoring that can help identify all known, high-impact vulnerabilities within a system’s components. Vulnerability scans can be performed as credentialed or non-credentialed. A credentialed scan uses administrator rights on the target host, while a non-credentialed scan does not. Administrator rights are permissions granted to users allowing them to view installed software and to make changes to computer system configurations.6 Because a non-credentialed scan sees only what a host exposes to the network, such as service banners and responses to probes, it cannot enumerate the packages and patch levels installed on the host; a credentialed scan reads them directly.

    5 NASA OIG, “Audit of NASA’s Efforts to Continuously Monitor Critical Information Technology Security Controls” (IG-10-019, September 14, 2010).
    6 A credentialed scan will identify software installed on a component while a non-credentialed scan will not.

Our review of 13 NASA systems revealed inconsistent vulnerability monitoring practices. We identified unmonitored systems with multiple high-impact vulnerabilities, monitored systems that still contained multiple high-impact vulnerabilities, and monitored systems with very few high-impact vulnerabilities.

We requested the Agency’s recent vulnerability scan results for the monitored systems and were provided with non-credentialed scans. We then requested that NASA IT security personnel perform credentialed scans of these same systems, which we observed. These credentialed scans consistently revealed a much larger number of high-impact vulnerabilities than had been identified by the non-credentialed scans. For example, although the credentialed scans were performed on only a small sample of system components, they identified a staggering 2,644 high-impact vulnerabilities compared with 59 high-impact vulnerabilities identified by the non-credentialed scans. These results illustrate that NASA’s current vulnerability monitoring practices capture only a small fraction of the known, high-impact vulnerabilities in NASA’s systems. Further, relying solely on non-credentialed vulnerability scanning increases the risk of loss of confidentiality, integrity, and availability of NASA systems, data, and intellectual property.

In sum, NASA’s move away from a “snapshot” approach for certifying the security of its IT systems to a continuous monitoring approach holds the promise of improving NASA’s IT security posture. However, while NASA has made some progress in implementing this new approach, the Agency needs to improve its policies and procedures in several key areas to ensure continuous monitoring will provide adequate protection for the Agency’s IT systems.

Management Action

To strengthen existing policies, procedures, and continuous monitoring controls, we recommended that the CIO expedite development of content and metrics for applying secure baseline configuration settings to applicable NASA IT components. In addition, we believe the CIO should institute credentialed vulnerability scanning Agency-wide as part of its continuous monitoring program.

We also recommended that Associate Administrators for Mission Directorates and Center Chief Information Security Officers take an active role to ensure that baseline security configurations are applied to their respective systems; appropriate personnel establish accounts within ITSEC-EDW; appropriate system data are included in ITSEC-EDW and validated; and systems routinely undergo credentialed vulnerability scanning.

In response to a draft of this report, NASA concurred with our recommendations and proposed corrective actions to address security configuration baselines, credentialed vulnerability scanning, and maintaining an accurate account of security data for all NASA system components. NASA plans to complete these actions by January 31, 2013. We consider NASA’s planned actions to be responsive to our recommendations and will close the recommendations upon verification that the actions are complete.
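The inventory reconciliation behind the ITSEC-EDW finding in the Overview, written out as an added example (not code from the report or from NASA’s systems): it takes the set of components seen on the network and the inventory records, places each component in exactly one of the categories the report uses, and lists what each component still needs before it is fully monitored. The host names, the record layout and the two flags are assumptions standing in for the patch-agent and vulnerability-scan feeds the report describes; the example goes slightly beyond the report by also separating records that exist but carry no security data and by flagging stale records that no longer match anything on the network.

```python
"""Reconcile network-connected components against inventory records.

Added example, not NASA code.  Host names, the record layout and the
patch_agent / vuln_scan flags are assumptions standing in for the feeds
(patch-management agent check-ins, vulnerability scan results) that the
report says populate ITSEC-EDW.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class InventoryRecord:
    host: str
    patch_agent: bool   # a patch-management agent has reported for this host
    vuln_scan: bool     # a vulnerability scan result is on file for this host


# Mutually exclusive categories, in the spirit of the report's Figure 1.
ABSENT = "absent"          # seen on the network, no record at all
NO_DATA = "no_data"        # record exists but carries no security data
PATCH_ONLY = "patch_only"
VULN_ONLY = "vuln_only"
BOTH = "both"
CATEGORIES = (ABSENT, NO_DATA, PATCH_ONLY, VULN_ONLY, BOTH)


def classify(host: str, records: Dict[str, InventoryRecord]) -> str:
    """Place one network-connected host into exactly one category."""
    rec = records.get(host)
    if rec is None:
        return ABSENT
    if rec.patch_agent and rec.vuln_scan:
        return BOTH
    if rec.patch_agent:
        return PATCH_ONLY
    if rec.vuln_scan:
        return VULN_ONLY
    return NO_DATA


def coverage(connected: Iterable[str], records: Dict[str, InventoryRecord]) -> dict:
    """Counts per category plus the two percentages an auditor asks for first."""
    hosts = list(connected)
    counts = Counter(classify(h, records) for h in hosts)
    summary = {cat: counts.get(cat, 0) for cat in CATEGORIES}
    summary["total"] = len(hosts)
    summary["incomplete"] = summary[NO_DATA] + summary[PATCH_ONLY] + summary[VULN_ONLY]
    denom = len(hosts) or 1   # avoid division by zero on an empty population
    summary["pct_absent"] = round(100.0 * summary[ABSENT] / denom, 1)
    summary["pct_both"] = round(100.0 * summary[BOTH] / denom, 1)
    return summary


def stale_records(connected: Iterable[str], records: Dict[str, InventoryRecord]) -> List[str]:
    """Records with no matching host on the network: review candidates, not deletions."""
    return sorted(set(records) - set(connected))


def actions(connected: Iterable[str], records: Dict[str, InventoryRecord]) -> Dict[str, List[str]]:
    """Per-host list of what is missing before the host is fully monitored."""
    todo: Dict[str, List[str]] = {}
    for host in connected:
        rec = records.get(host)
        steps = []
        if rec is None:
            steps.append("enroll in inventory")
        if rec is None or not rec.patch_agent:
            steps.append("deploy patch agent")
        if rec is None or not rec.vuln_scan:
            steps.append("schedule credentialed scan")
        if steps:
            todo[host] = steps
    return todo


# Constructed sample data; none of these are real NASA hosts.
CONNECTED = [f"host{i:02d}.example.test" for i in range(1, 11)]
RECORDS = {r.host: r for r in [
    InventoryRecord("host01.example.test", True, True),
    InventoryRecord("host02.example.test", True, False),
    InventoryRecord("host03.example.test", False, True),
    InventoryRecord("host04.example.test", False, False),
    InventoryRecord("host05.example.test", True, True),
    InventoryRecord("host99.example.test", True, True),   # no longer seen on the network
]}

if __name__ == "__main__":
    for key, value in coverage(CONNECTED, RECORDS).items():
        print(f"{key:>12}: {value}")
    print("stale records:", stale_records(CONNECTED, RECORDS))
    for host, steps in sorted(actions(CONNECTED, RECORDS).items()):
        print(f"{host}: {', '.join(steps)}")
```

The `actions` output is the part worth feeding back into the process: a component that is absent from the inventory cannot be scanned, patched or reported on, so enrolment is the first step, and the other two steps map to the two feeds the report found missing for 93 of the 289 sampled components.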
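The credentialed-versus-non-credentialed gap described in the Overview, as an added example that is not NASA or Foundstone code: the same advisory list is matched against two views of one host, the service banners a network scanner can observe and the package list an authenticated scan reads from the host. The advisory identifiers, package versions and banner strings are constructed placeholders for the illustration, not real advisories or real NASA systems.

```python
"""Why a credentialed scan finds more than a non-credentialed one.

Added example, not NASA or McAfee/Foundstone code.  Advisory IDs,
versions and banners are constructed placeholders, not real advisories.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Advisory:
    ident: str       # placeholder identifier, not a real CVE
    package: str
    fixed_in: str    # first version that is not vulnerable
    severity: str    # "high" or "medium"


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions only; enough for the illustration."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    return parse_version(installed) < parse_version(fixed_in)


# What a non-credentialed scanner can infer: banners on listening services.
BANNER_PATTERNS = [
    (re.compile(r"OpenSSH_([\d.]+)"), "openssh-server"),
    (re.compile(r"Apache/([\d.]+)"), "httpd"),
]


def inventory_from_banners(banners: List[str]) -> Dict[str, str]:
    """Network view: only packages that announce themselves on the wire."""
    found: Dict[str, str] = {}
    for line in banners:
        for pattern, package in BANNER_PATTERNS:
            m = pattern.search(line)
            if m:
                found[package] = m.group(1).rstrip(".")
    return found


def find_vulnerabilities(inventory: Dict[str, str], advisories: List[Advisory],
                         severity: Optional[str] = None) -> Set[str]:
    """Advisories whose package is present at a version below the fix."""
    hits: Set[str] = set()
    for adv in advisories:
        installed = inventory.get(adv.package)
        if installed is None:
            continue                        # package not visible in this view
        if severity and adv.severity != severity:
            continue
        if is_vulnerable(installed, adv.fixed_in):
            hits.add(adv.ident)
    return hits


def compare_views(banners: List[str], installed: Dict[str, str],
                  advisories: List[Advisory]) -> Tuple[Set[str], Set[str]]:
    """(findings from the network view, findings from the credentialed view)."""
    network_view = inventory_from_banners(banners)
    return find_vulnerabilities(network_view, advisories), find_vulnerabilities(installed, advisories)


# Constructed advisory list (placeholder identifiers).
ADVISORIES = [
    Advisory("ADV-0001", "openssh-server", "5.4", "high"),
    Advisory("ADV-0002", "httpd", "2.2.20", "high"),
    Advisory("ADV-0003", "httpd", "2.2.10", "high"),     # already fixed at 2.2.15
    Advisory("ADV-0004", "glibc", "2.13", "high"),
    Advisory("ADV-0005", "kernel", "2.6.33", "high"),
    Advisory("ADV-0006", "openssl", "1.0.1", "high"),
    Advisory("ADV-0007", "java", "1.7.0", "medium"),
]

# Constructed banners as a port scanner would report them.
BANNERS = [
    "22/tcp  open  ssh   SSH-2.0-OpenSSH_5.3",
    "80/tcp  open  http  Server: Apache/2.2.15 (Unix)",
]

# Constructed package list as an authenticated scan would read it from the host.
INSTALLED = {
    "openssh-server": "5.3", "httpd": "2.2.15", "glibc": "2.12",
    "kernel": "2.6.32", "openssl": "1.0.0", "java": "1.6.0",
}

if __name__ == "__main__":
    net, cred = compare_views(BANNERS, INSTALLED, ADVISORIES)
    print("non-credentialed:", sorted(net))
    print("credentialed:    ", sorted(cred))
    print("missed by the network view:", sorted(cred - net))
```

Two caveats a practitioner should carry over: the network view here is a strict subset of the credentialed view only because nothing on the host lies about its version, and a version-only comparison like `is_vulnerable` will report false positives on distributions that backport fixes without changing the version string, which is one more reason to let a credentialed scanner read the package database rather than guess from banners.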
CONTENTS

INTRODUCTION
    Background
    Objectives

RESULTS
    NASA Has Not Transitioned to an Effective Continuous Monitoring Program

APPENDIX A
    Scope and Methodology
    Review of Internal Controls
    Prior Coverage

APPENDIX B
    Glossary

APPENDIX C
    NASA OCIO Memorandum

APPENDIX D
    Management Comments

APPENDIX E
    Report Distribution

INTRODUCTION

Background

As technology has advanced, NASA has become dependent on computerized information systems to carry out daily operations and to process, maintain, and report essential information. NASA’s information technology (IT) networks and systems control spacecraft, collect and process scientific data, and enable NASA personnel to collaborate with colleagues around the world. Users of these systems number in the hundreds of thousands and include NASA personnel, contractors, academia, and the public. Although most NASA IT systems contain data appropriate for wide dissemination, some contain sensitive information that, if stolen or inappropriately released, could result in significant financial loss or adversely affect national security.

The increasing number of cybersecurity threats facing NASA highlights the significance of ensuring that strong IT security practices are in place at the Agency. In calendar years 2009 and 2010, NASA reported 5,621 cybersecurity incidents that could have resulted in the installation of malicious software on its systems and unauthorized access to sensitive information. These threats continue to evolve in both scope and sophistication, presenting an ongoing challenge to NASA management. Consequently, strong IT security practices are essential to minimize the number and severity of vulnerabilities on NASA’s systems.

The Federal Information Security Management Act of 2002 (FISMA) requires Federal agencies to report annually on the security posture of their information systems. Prior to May 2010, NASA assessed the security posture of its systems using a “snapshot” certification and accreditation (C&A) process that assessed security on a periodic schedule and at a fixed point in time. Under this approach, NASA required system owners to reauthorize their systems on a 3-year cycle.

In May 2010, NASA announced a fundamental shift away from this “snapshot” C&A approach to real-time, device-level continuous monitoring. According to the Agency, this shift would enable near real-time risk management and ongoing security authorizations that reflect the true intent of applicable National Institute of Standards and Technology (NIST) guidance.
NASA’s new approach emphasizes the importance of continuously monitoring components connected to NASA’s systems and focuses on critical controls that protect against the most common IT security incidents NASA has experienced.

The initial phases of any continuous monitoring process rely on three elements that are of primary importance to system monitoring: maintaining complete and accurate IT component inventories; implementing effective security configuration management; and vulnerability management. As part of its continuous monitoring program, NASA has undertaken the following initiatives:

    • Developed the IT Security – Enterprise Data Warehouse (ITSEC-EDW), an inventory of NASA IT components and security configurations. ITSEC-EDW also includes consolidated patch statistics, vulnerability scan results, hardware and software data, and correlation capabilities.

    • Formed the Agency Vulnerability Assessment and Remediation (AVAR) team, which is responsible for the Agency’s vulnerability management project and for Foundstone Enterprise, the Agency’s automated network vulnerability scanning tool, as well as for communication between Foundstone Enterprise and ITSEC-EDW.7

    • Instituted the Agency Security Configuration Standards (ASCS) project, which provides assessments, recommendations, processes, and procedures to assist NASA in meeting system security configuration requirements. NASA currently has three sources for its system configuration standards: United States Government Configuration Baseline (USGCB) settings, Federal Desktop Core Configuration (FDCC) settings, and Center for Internet Security (CIS) benchmark settings.

    7 Foundstone Enterprise is the commercial off-the-shelf enterprise software solution used when scanning NASA’s networks and systems for vulnerabilities. (McAfee is the manufacturer of Foundstone Enterprise and has recently changed the name of the product to Vulnerability Manager.)

While these initiatives are appropriate steps toward achieving a successful real-time continuous monitoring program, we believe that NASA needs to do more to ensure that its continuous monitoring efforts are based on a solid foundation and have the maximum chance of success.

Objectives

The objective of this audit was to evaluate NASA’s progress in moving from a periodic C&A assessment to continuously monitoring its IT security posture. This report focuses on three areas that we consider key to the successful implementation of the Agency’s overall continuous monitoring program: maintaining accurate IT component inventories; instituting strong security configuration management; and vulnerability management practices.

To assess the Agency’s progress in these three areas, we examined the extent to which NASA’s ITSEC-EDW captures all relevant IT components; whether mandated configuration settings were being appropriately applied to components; and whether vulnerability monitoring practices were effective for identifying and mitigating known, high-impact vulnerabilities. We also reviewed internal controls related to our overall objective. We performed our work at four Centers. See Appendix A for details of the audit’s scope and methodology, our review of internal controls, and a list of prior audit coverage. See Appendix B for a glossary of terms used in this report.

RESULTS

NASA HAS NOT TRANSITIONED TO AN EFFECTIVE CONTINUOUS MONITORING PROGRAM

NASA has not yet successfully transitioned from “snapshot” C&A processes to a fully implemented continuous monitoring program. In order for the Agency to reach this goal, it needs to (1) create and maintain a complete, up-to-date record of IT components connected to its networks; (2) define the security configuration baselines required for its system components and develop an effective means of assessing compliance with those baselines; and (3) establish best practices for vulnerability management on all Agency IT systems.

Agency Continuous Monitoring and Reporting System Data Are Incomplete

We found that NASA lacks a complete inventory database of IT components currently in use.
Without a complete and up-to-date inventory of IT components, the effectiveness of NASA’s continuous monitoring program will be significantly diminished.

In September 2010, we recommended that NASA’s Chief Information Officer (CIO) require the Centers to implement a process to verify that their vulnerability monitoring includes 100 percent of applicable network devices. NASA agreed and stated it planned to implement a new system, ITSEC-EDW, that would include an Agency-wide database of the IT components connected to NASA’s networks. NASA’s CIO stated that the IT component information in the database would come from network vulnerability scans and NASA’s patch management and reporting system, among other sources.

ITSEC-EDW retrieves data from multiple Agency and Center data sources to provide a continuously updated record of components connected to NASA’s networks. In NASA Information Technology Requirement (NITR) 2810-24, “NASA IT Device Vulnerability Management,” January 28, 2010, NASA mandated that Centers use ITSEC-EDW and required that C&A information on all NASA systems include “an asset inventory listing all IT components associated with the information system.” This guidance, which expired on May 16, 2011, was subsequently included as part of the IT Security Handbook (ITS-HBK) 2810.07-01, “Configuration Management,” May 6, 2011.

The policy makes clear the IT security challenge the Agency faces in making the transition to continuous monitoring:

    There are more than 120,000 devices or nodes located at NASA Centers and Facilities, and connected to NASA networks. Each of these nodes can be a potential vector for unauthorized access, virus infection, or some other security incident. The purpose of this policy is to protect each device by defining standard security measures against viruses and other malware, ensuring patches are applied, setting requirements for vulnerability scans, and establishing an inventory of all devices and their security configurations.

As part of continuously monitoring IT security, NASA officials said they strive to monitor 100 percent of the Agency’s systems and connected components. The first step toward that goal is maintaining a comprehensive record of IT components so that Center Chief Information Security Officers (CISOs) have real-time awareness of all components connected to their systems.8 According to the project manager for ITSEC-EDW, the Agency has three ways to ensure that applicable system component information is added to and updated in the database. Two of those ways are automated through the use of software applications that transfer information to ITSEC-EDW. The third way is to input information manually when automation is not technically feasible due to operational constraints. While the Agency envisioned ITSEC-EDW as a comprehensive database to track and report NASA’s IT security posture, we found that a significant portion of the components we sampled were not included in ITSEC-EDW and that important information concerning our sampled components was incomplete.

To assess the accuracy of ITSEC-EDW, we judgmentally selected a sample of 289 connected components from 12 systems across four Centers.9 We found that 175 of these components (61 percent) were not reflected in the database and that patch agent and vulnerability data for 93 others (32 percent) were incomplete.
Moreover, only 21 of the 289 components (7 percent) we sampled included both patch agent and vulnerability data. In summary, we found that ITSEC-EDW was not comprehensively or consistently capturing the IT component information, vulnerability information, or security configuration data needed to ensure the successful implementation of continuous monitoring at NASA. A breakdown of the ITSEC-EDW component queries we conducted is shown in Figure 1.

    8 The title for NASA’s IT Security Managers changed to Center CISOs in May 2011.
    9 We excluded 1 of the 13 systems originally in our sample because it was not connected to any other Agency network.

Figure 1. Results of ITSEC-EDW Queries for 289 System Components to Identify Patch Agent and Vulnerability Data

    [Pie chart; the four segments are mutually exclusive and sum to 100 percent of the sample]
    No information found: 61 percent of the sample
    Vulnerability data only (no patch agent): 18 percent of the sample
    Patch agent only (no vulnerability data): 14 percent of the sample
    Patch agent and vulnerability data: 7 percent of the sample

NITR 2810-24 requires system owners to record all IT components in ITSEC-EDW. However, the overwhelming majority of the components we tested were not included in the database. Until the Agency ensures that it has a more comprehensive inventory of the components connected to its systems, the effectiveness of its continuous monitoring program will be significantly diminished.

Security Configuration Baselines Are Not Available and Continuously Monitored on Many IT Components

Security configuration baselines are essential for protecting systems and data. Of critical importance is establishing security baseline settings for system components and maintaining those settings throughout the components’ life cycles. Security configuration baselines include specific settings needed to ensure a system is protected from malicious attacks. These baselines should be established for both hardware and software connected to a NASA system or network, and any changes to the baseline should be monitored and addressed.

In September 2004, NASA adopted the CIS benchmarks for applying security configuration baselines to many of its operating systems, including Windows, Unix, and various types of Linux. Accordingly, CIS benchmarks are applicable to the desktops, laptops, and servers used by thousands of NASA’s employees and contractors.

In February 2008, the Office of Management and Budget (OMB) mandated that Federal agencies apply NIST’s FDCC settings to Windows XP and Vista desktop operating systems. These settings provide Federal agencies with commonly accepted baseline security settings for these operating systems. NASA automatically tracks compliance with FDCC settings on its Windows XP and Vista components and reports compliance status to OMB.
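NASA tracks FDCC compliance on Windows desktops automatically but, as the Overview notes, has no automated means of tracking CIS benchmark compliance on its Unix, Linux and Windows server components. One shape such a check can take, as an added example that is neither CIS CAT nor NASA code: a scorer for the global section of a host’s `sshd_config` that can be run over many hosts’ configurations in one pass. The rules are in the spirit of the CIS sshd recommendations but their thresholds, the directive defaults, the waiver record and the configuration text are assumptions constructed for the illustration. It treats a value tighter than the benchmark ceiling as a pass rather than a deviation, and it excludes waived rules from the denominator so that an approved operational constraint does not depress the score.

```python
"""Score sshd_config files against a benchmark-style rule set.

Added example, not CIS CAT or NASA code.  Rule thresholds, the defaults
assumed for absent directives, the waiver record and the config text are
all constructed for the illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    key: str
    op: str          # "eq": exact value; "in": one of a set; "range": (lo, hi) inclusive
    expected: object
    default: str     # value assumed when the directive is absent (assumption)


RULES: List[Rule] = [
    Rule("Protocol", "eq", "2", "2"),
    Rule("PermitRootLogin", "eq", "no", "yes"),
    Rule("PasswordAuthentication", "eq", "no", "yes"),
    Rule("X11Forwarding", "eq", "no", "no"),
    Rule("MaxAuthTries", "range", (1, 4), "6"),
    Rule("ClientAliveInterval", "range", (1, 300), "0"),   # 0 would mean "never", so it fails
    Rule("LogLevel", "in", {"INFO", "VERBOSE"}, "INFO"),
]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Global directives only.  A 'Match' block starts conditional settings,
    which must not be mistaken for the host's global policy."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if key not in settings:           # sshd honours the first occurrence of a directive
            settings[key] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def evaluate(rule: Rule, settings: Dict[str, str]) -> Tuple[str, str]:
    """Returns (status, note); status is 'pass' or 'fail'."""
    value = settings.get(rule.key.lower(), rule.default)
    if rule.op == "eq":
        if value.lower() == str(rule.expected).lower():
            return "pass", ""
        return "fail", f"{rule.key}={value}, expected {rule.expected}"
    if rule.op == "in":
        if value.upper() in rule.expected:
            return "pass", ""
        return "fail", f"{rule.key}={value}, expected one of {sorted(rule.expected)}"
    lo, hi = rule.expected
    try:
        num = int(value)
    except ValueError:
        return "fail", f"{rule.key}={value!r} is not numeric"
    if num < lo or num > hi:
        return "fail", f"{rule.key}={num}, expected {lo}..{hi}"
    if num < hi:   # tighter than the benchmark asks for: a pass, not a deviation
        return "pass", f"{rule.key}={num} is stricter than the benchmark ceiling {hi}"
    return "pass", ""


def score_host(config_text: str, rules: List[Rule], waived: Dict[str, str]) -> dict:
    """Pass/fail/waived counts, the notes behind them, and a percentage over scored rules."""
    settings = parse_sshd_config(config_text)
    result = {"pass": 0, "fail": 0, "waived": 0, "failures": [], "stricter": [], "score": 0.0}
    for rule in rules:
        if rule.key in waived:            # approved deviation: recorded, not scored
            result["waived"] += 1
            continue
        status, note = evaluate(rule, settings)
        result[status] += 1
        if status == "fail":
            result["failures"].append(note)
        elif note:
            result["stricter"].append(note)
    scored = result["pass"] + result["fail"]
    result["score"] = round(100.0 * result["pass"] / scored, 1) if scored else 100.0
    return result


def score_fleet(configs: Dict[str, str], rules: List[Rule],
                waivers: Dict[str, Dict[str, str]]) -> Dict[str, float]:
    """One pass over many hosts, which a one-host-at-a-time tool cannot give you."""
    return {host: score_host(text, rules, waivers.get(host, {}))["score"]
            for host, text in configs.items()}


# Constructed configurations and waiver record (not real NASA hosts).
CONFIGS = {
    "build01.example.test": """
        Protocol 2
        PermitRootLogin no
        MaxAuthTries 3
        ClientAliveInterval 600
        X11Forwarding yes
        LogLevel INFO
        Match User backup
            PasswordAuthentication yes
    """,
    "web01.example.test": """
        Protocol 2
        PermitRootLogin no
        PasswordAuthentication no
        X11Forwarding no
        MaxAuthTries 4
        ClientAliveInterval 300
        LogLevel VERBOSE
    """,
}
WAIVERS = {"build01.example.test": {"X11Forwarding": "remote build GUI required; approved by Center CISO"}}

if __name__ == "__main__":
    for host, score in score_fleet(CONFIGS, RULES, WAIVERS).items():
        detail = score_host(CONFIGS[host], RULES, WAIVERS.get(host, {}))
        print(f"{host}: {score}% ({detail['pass']} pass, {detail['fail']} fail, {detail['waived']} waived)")
        for note in detail["failures"] + detail["stricter"]:
            print("   ", note)
```

The scorer is deliberately strict about absent directives: a setting that is not in the file is scored at its assumed default, which is how `PasswordAuthentication` fails on the first host even though the only place it appears is inside a `Match` block that does not apply globally.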
However, as previously noted, NASA uses CIS benchmarks for applying security configuration baselines to Unix, Linux, and Windows server operating systems. We found that implementation of CIS benchmarks varies widely from system to system. In addition, NASA has no process in place to measure and monitor CIS benchmark compliance.

To examine NASA's compliance with CIS benchmarks, we used the same sample of 12 systems discussed above. Two systems had obtained waivers from the benchmark requirements because operational constraints prevented CIS benchmark application, and one system was composed of FDCC-compliant components. We selected a sample of components from the remaining nine systems and used the CIS Configuration Assessment Tool (CAT) to assess their compliance with the benchmarks. Compliance scores ranged from 36 to 93 percent, indicating that configuration settings were not fully compliant with the benchmark standards. Because of the wide variation in these scores, we evaluated the CAT assessment tool itself and found the following limitations:

• CIS benchmark metrics were not developed specifically for NASA, and many NASA components have more stringent settings or operational constraints. Consequently, NASA deviates from the benchmark in many cases, and some of the settings that CAT reported as failures are actually more secure than the benchmark. In those instances, modifying the settings to conform to the CIS benchmark would weaken the security of NASA's operating environment.

• CAT can only be run against one component at a time. Because NASA has more than 120,000 components that need to be monitored for baseline compliance, CAT may not be a viable tool for continuously monitoring NASA's systems.

Given these limitations and the need to monitor components continuously throughout their life cycles, NASA must clearly define what baseline configuration settings are appropriate to meet the Agency's IT security goals. The wide variance in compliance scores occurred because NASA had not established baseline configuration settings, metrics, and a monitoring capability for all of its operating system environments. NASA therefore needs to determine what benchmark settings are appropriate for securing the Agency's IT assets.

We also found that even though the CIS benchmark requirement applies to a significant number of the components we reviewed, ITSEC-EDW reports information only on FDCC compliance, not CIS compliance. This can lead to a misconception of NASA's IT security posture when the Agency reports to OMB through ITSEC-EDW. For example, of the 1,578 IT components connected to NASA's systems that we reviewed, only 14 percent (227 components) were required to comply with FDCC and would be included in NASA's IT security reporting to OMB. The remaining 86 percent of the components in our review would not be included in the Agency's reporting: 1,039 components with a Unix/Linux operating system, 196 components with a Windows server operating system, and 116 components identified as "other" (see Figure 2). 10

Figure 2. Operating Systems on Components Reviewed (bar chart, number of IT components)
• Unix/Linux: 1,039 components, 100% CIS configuration required
• Windows Server: 196 components, 100% CIS configuration required
• Windows Workstation: 227 components, 100% FDCC configuration required
• Other: 116 components

Improperly configured operating systems and software applications are a frequent avenue for unauthorized access to NASA's systems. Without the capability to continuously monitor components for compliance with defined baselines, NASA does not have adequate assurance that its systems are protected against malicious attacks.
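Measuring baseline compliance across a fleet, rather than one component at a time, and without counting a setting that is stricter than the benchmark as a failure, is the capability this section finds missing. The following is an added example written for this page; it is not NASA's, CIS's or CIS-CAT's code, and the benchmark items, host settings and waivers in it are constructed sample data (CIS benchmark content itself is not reproduced). It scores each host two ways: a strict score that credits only exact matches, which is how the report describes CAT treating NASA's hardened settings, and an effective score that credits settings meeting or exceeding the benchmark and removes documented deviations from the denominator.

```python
"""Fleet-wide configuration-baseline compliance scoring.

Added example for this page, not NASA's, CIS's or CIS-CAT's code.
Benchmark items, host settings and waivers are constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    PASS = "pass"        # observed value equals the benchmark value
    EXCEEDS = "exceeds"  # observed value is stricter than the benchmark
    WAIVED = "waived"    # does not meet the benchmark, but a documented deviation exists
    FAIL = "fail"        # does not meet the benchmark, no documented deviation
    MISSING = "missing"  # setting absent from the host's collected data


@dataclass(frozen=True)
class Item:
    name: str
    op: str       # "max": observed <= value; "min": observed >= value; "eq": observed == value
    value: object


# Constructed benchmark fragment; item names and values are hypothetical.
BENCHMARK = (
    Item("PASS_MAX_DAYS", "max", 90),
    Item("PASS_MIN_LEN", "min", 14),
    Item("sshd.PermitRootLogin", "eq", "no"),
    Item("sshd.Protocol", "eq", 2),
    Item("sshd.MaxAuthTries", "max", 4),
    Item("sshd.LoginGraceTime", "max", 60),
)

# Constructed host data, as an inventory agent might collect it.
SAMPLE_HOSTS = {
    "web01": {"PASS_MAX_DAYS": 90, "PASS_MIN_LEN": 14, "sshd.PermitRootLogin": "no",
              "sshd.Protocol": 2, "sshd.MaxAuthTries": 4, "sshd.LoginGraceTime": 60},
    # Hardened beyond the benchmark: an exact-match score penalises it.
    "web02": {"PASS_MAX_DAYS": 60, "PASS_MIN_LEN": 16, "sshd.PermitRootLogin": "no",
              "sshd.Protocol": 2, "sshd.MaxAuthTries": 3, "sshd.LoginGraceTime": 30},
    # Batch host with a documented operational constraint on password ageing,
    # plus genuine failures and one setting the agent did not collect.
    "batch01": {"PASS_MAX_DAYS": 365, "PASS_MIN_LEN": 14, "sshd.PermitRootLogin": "yes",
                "sshd.Protocol": 2, "sshd.LoginGraceTime": 120},
}
# Documented deviations per host (hypothetical waiver register).
SAMPLE_WAIVERS = {"batch01": {"PASS_MAX_DAYS"}}


def check_item(item, observed):
    """Compare one observed setting against one benchmark item."""
    if observed is None:
        return Status.MISSING
    if item.op == "eq":
        return Status.PASS if observed == item.value else Status.FAIL
    if item.op not in ("max", "min"):
        raise ValueError(f"unknown operator {item.op!r}")
    if observed == item.value:
        return Status.PASS
    stricter = observed < item.value if item.op == "max" else observed > item.value
    return Status.EXCEEDS if stricter else Status.FAIL


def assess_host(settings, waivers=frozenset(), benchmark=BENCHMARK):
    """Return {item name: Status} for one host; a failing or missing item
    with a documented deviation is reported as WAIVED rather than FAIL."""
    results = {}
    for item in benchmark:
        status = check_item(item, settings.get(item.name))
        if status in (Status.FAIL, Status.MISSING) and item.name in waivers:
            status = Status.WAIVED
        results[item.name] = status
    return results


def scores(results):
    """Two percentages from one set of results.

    'strict' credits exact matches only, as a tool ignorant of the site's
    deviations would. 'effective' credits settings that meet or exceed the
    benchmark and drops documented deviations from the denominator; that is
    the figure a risk decision should rest on."""
    if not results:
        return {"strict": 100, "effective": 100}
    total = len(results)
    exact = sum(s is Status.PASS for s in results.values())
    meets = sum(s in (Status.PASS, Status.EXCEEDS) for s in results.values())
    waived = sum(s is Status.WAIVED for s in results.values())
    effective = round(100 * meets / (total - waived)) if total > waived else 100
    return {"strict": round(100 * exact / total), "effective": effective}


def assess_fleet(hosts, waivers, threshold=90, benchmark=BENCHMARK):
    """Score every host and list those whose effective score is under threshold."""
    report = {}
    for host, settings in hosts.items():
        results = assess_host(settings, waivers.get(host, frozenset()), benchmark)
        report[host] = {"results": results, **scores(results)}
    below = sorted(h for h, r in report.items() if r["effective"] < threshold)
    return report, below


if __name__ == "__main__":
    fleet, below = assess_fleet(SAMPLE_HOSTS, SAMPLE_WAIVERS)
    for host, r in fleet.items():
        failing = [n for n, s in r["results"].items() if s in (Status.FAIL, Status.MISSING)]
        print(f"{host}: strict {r['strict']}%  effective {r['effective']}%  failing {failing}")
    print("below threshold:", below)
```

On the constructed data the hardened host scores 33 percent on the strict measure and 100 percent on the effective one, while the batch host scores 33 and 40: the same raw number for very different postures, which is why a score without a deviation register cannot be reported as posture. In practice the settings dictionary would come from an agent or a configuration-management tool and the waiver set from the documented deviations the recommendations in this report call for; the fleet roll-up, not the per-host check, is the part a 120,000-component environment needs.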
With an effective monitoring and measurement capability in place, system owners, auditors, and NASA management would have the means to determine whether systems are compliant and are meeting the IT security goals of the Agency.

10 For this portion of our review, we relied on hardware and software documentation provided by system personnel. The 116 components identified as "Other" in Figure 2 had no known configuration benchmark requirement.

Vulnerability Management Is Not Occurring Consistently and Is Not Effective in Identifying All Known, High-Impact Vulnerabilities

NASA Centers use the McAfee Foundstone Enterprise application to scan their networks for known vulnerabilities. NASA's AVAR project coordinates vulnerability scanning processes, tools, and licensing for all NASA Centers. Mission Directorate and Center program and project managers are responsible for performing vulnerability scans on local NASA systems to identify high-impact vulnerabilities and for managing the local vulnerability scanners. NASA policy states that scans are to be conducted monthly for all known, high-impact vulnerabilities and that any vulnerabilities identified are to be addressed in a plan of action and milestones. As categorized by the United States Computer Emergency Readiness Team (US-CERT), high-impact vulnerabilities, such as unpatched software, are those that pose the most risk to the system and could be the most damaging if exploited.

Vulnerability scans can be performed as credentialed or non-credentialed. A credentialed scan uses administrator rights on the target host, while a non-credentialed scan does not. Administrator rights are permissions that allow a user to view installed software and to change system configuration. Both scanning techniques produce a report on vulnerabilities with impact ratings of High, Medium, Low, and Informational, but a credentialed scan performs a much more thorough check of the system and produces more accurate results. For example, a credentialed scan will identify vulnerable software installed on a component, while a non-credentialed scan can identify only what it can infer from the services the component exposes on the network.

Of the 13 systems we selected for review, 7 were located at one Center. Our review of these systems revealed that 2 of the systems had not been undergoing continuous monitoring for high-impact vulnerabilities. Moreover, when we performed credentialed scans on the Center's systems rather than relying on the non-credentialed scans Center personnel had been performing, we identified a large number of high-impact vulnerabilities. This finding calls into question the efficacy of NASA's processes for identifying systems that should be subject to vulnerability management and the effectiveness of its vulnerability scanning.

While some systems we reviewed showed a stronger security posture than others, we did not find consistent practices in place across Centers. For example, one Center used credentialed scanning as part of the vulnerability monitoring process for one of its systems, and we found very few high-impact vulnerabilities for that system.
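The gap between the two scan modes is easiest to see in code. The following is an added example written for this page, not NASA's or McAfee's code: it models one constructed host with an installed-package inventory and the banners it exposes on the network, checks both against a constructed advisory table (package names, versions and impact ratings are illustrative and refer to no real CVE), and shows what each mode can and cannot conclude.

```python
"""Credentialed versus non-credentialed scanning, modelled on one host.

Added example for this page, not NASA's or McAfee's code. The advisory
table, host inventory and banners are constructed sample data; the package
names and versions are illustrative and do not refer to real CVEs.
"""
import re

# Constructed advisories: package -> (first fixed version, impact rating).
ADVISORIES = {
    "openssh-server": ("6.2", "High"),
    "httpd": ("2.4.10", "High"),
    "openssl": ("1.0.1h", "High"),
    "sudo": ("1.8.7", "High"),
    "kernel": ("3.10.5", "High"),
    "ntp": ("4.2.8", "Medium"),
    "bash": ("4.3", "Medium"),
}

# Constructed host. Only two services listen; httpd is configured to hide
# its version in the Server header, and ntp does not answer the probe.
HOST = {
    "installed": {
        "openssh-server": "6.1", "httpd": "2.4.6", "openssl": "1.0.1e",
        "sudo": "1.8.6", "kernel": "3.10.0", "ntp": "4.2.6", "bash": "4.2",
        "rsync": "3.0.9",
    },
    "banners": {22: "SSH-2.0-OpenSSH_6.1", 80: "Server: Apache"},
}

# Banner fingerprints: group 1 of the regex is the version, if advertised.
BANNER_RULES = (
    (re.compile(r"OpenSSH_(\S+)"), "openssh-server"),
    (re.compile(r"Apache(?:/(\S+))?"), "httpd"),
)


def version_key(version):
    """Sortable key for dotted versions: numeric parts compare as integers
    (2.4.10 > 2.4.6), letter suffixes lexically (1.0.1e < 1.0.1h). Each part
    is tagged so integers and strings are never compared with each other."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_vulnerable(package, version):
    """True when an advisory exists and the installed version predates the fix."""
    if package not in ADVISORIES:
        return False
    fixed, _impact = ADVISORIES[package]
    return version_key(version) < version_key(fixed)


def noncredentialed_scan(host):
    """Network view only: one banner per listening service.
    Returns (findings, unverified); unverified lists services whose banner
    hides the version, which the scanner can neither confirm nor clear."""
    findings, unverified = {}, []
    for port, banner in sorted(host["banners"].items()):
        for pattern, package in BANNER_RULES:
            match = pattern.search(banner)
            if not match:
                continue
            version = match.group(1)
            if version is None:
                unverified.append((port, package))
            elif is_vulnerable(package, version):
                findings[package] = ADVISORIES[package][1]
            break
    return findings, unverified


def credentialed_scan(host):
    """Authenticated view: the package inventory, so software that never
    listens on the network (kernel, sudo, libraries) is checked as well."""
    return {package: ADVISORIES[package][1]
            for package, version in host["installed"].items()
            if is_vulnerable(package, version)}


def count_by_impact(findings):
    return {level: sum(1 for v in findings.values() if v == level)
            for level in ("High", "Medium")}


def compare(host):
    """Side-by-side summary of what each scan mode reports for one host."""
    nc_findings, unverified = noncredentialed_scan(host)
    cr_findings = credentialed_scan(host)
    return {
        "non_credentialed": count_by_impact(nc_findings),
        "credentialed": count_by_impact(cr_findings),
        "only_credentialed": sorted(set(cr_findings) - set(nc_findings)),
        "unverified_banners": unverified,
    }


if __name__ == "__main__":
    for key, value in compare(HOST).items():
        print(f"{key}: {value}")
```

On this host the non-credentialed pass reports one high-impact finding and cannot decide about the web server, whose banner carries no version; the credentialed pass reports five high and two medium, including the kernel, sudo and a library that never listen on a port. On the credential-management objection NASA officials raise later in this section: the usual answer is a dedicated scan account with read-only rights to the package database or registry, issued per scan from the scanner's credential store rather than a shared administrator password, which also limits the damage if the scanner itself is compromised.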
Local personnel at that Center stated that transitioning from non-credentialed to credentialed scanning achieved notable results over a short period of time and that reportable security incidents had been significantly reduced.

We directed NASA personnel to perform credentialed scans on a small sample of system components and observed these scans. We compared the results of those scans with past, non-credentialed scans performed by the Agency. As shown in Figure 3, although the credentialed scans were performed on only a small sample of system components, they identified 2,644 high-impact vulnerabilities compared with the 59 high-impact vulnerabilities identified by the non-credentialed scans.

Figure 3. Vulnerabilities Found by Credentialed Versus Non-Credentialed Scans (bar chart, number of vulnerabilities)
• High impact: 59 (non-credentialed) versus 2,644 (credentialed)
• Medium impact: 76 (non-credentialed) versus 2,871 (credentialed)
Note: Results shown are from credentialed scans performed on small samples of system components and non-credentialed scans conducted on entire systems.

While we did not assess whether the identified vulnerabilities were exploitable, these results indicate that NASA's current vulnerability monitoring practices capture only a small fraction of the known, potentially high-impact vulnerabilities that reside in the Agency's systems.

NASA officials said that using credentialed rather than non-credentialed scans in a widely distributed environment is difficult because of the large number of credentials that must be managed. However, these unmitigated vulnerabilities increase the risk of loss of NASA's systems, data, and intellectual property. By decreasing the number of high-impact vulnerabilities and misconfigured components, NASA can reduce the avenues for cyber attacks, the number of actual attacks, and the resources needed to respond to those attacks. Therefore, for NASA's continuous monitoring program to be effective, the Agency needs to ensure that credentialed scanning is used consistently on all systems.

Conclusion

We found that NASA faces significant challenges in transitioning to a continuous monitoring process for its IT systems and related components. Until NASA (1) develops and maintains a complete record of IT components; (2) ensures that security configuration baselines are available, applied, and monitored for all applicable components; and (3) develops consistent credentialed vulnerability scanning processes for use Agency-wide, NASA cannot effectively transition from a system of isolated reviews to an enterprise-wide continuous monitoring program.

Recommendations, Management's Response, and Evaluation of Management's Response

To strengthen existing policies, procedures, and continuous monitoring controls, we made the following recommendations.

Recommendation 1. The Chief Information Officer should

a. expedite development of content, metrics, and a monitoring capability for applying secure baseline configuration settings to applicable NASA IT components, using NASA's most common attack vectors as a guide for prioritization and beginning with Windows server operating systems and their respective functionality (e.g., web server and file server).

b. institute credentialed vulnerability scanning Agency-wide as part of its continuous monitoring program. Specifically,
   (1) develop and disseminate to all affected personnel detailed operating procedures for credentialed vulnerability scanning;
   (2) develop schedules for performing credentialed vulnerability scans; and
   (3) require credentialed scans Agency-wide as part of its continuous monitoring program.

c. verify that the security baselines are applied and that credentialed scans are being performed as directed.

Management's Response. NASA concurred with our recommendation, noting that applying and measuring security configuration baselines can improve the Agency's overall IT security posture.
NASA tasked its Agency Security Configuration Standards (ASCS) program to develop and manage security configuration baselines and measurement content for all applicable NASA IT components. In addition, NASA officials said they are developing a Windows Server 2008 security configuration baseline and plan to begin measuring compliance with this baseline on March 31, 2012. NASA also agrees that credentialed vulnerability scanning allows for improved awareness of system vulnerabilities. Accordingly, NASA said it plans to update its guidance to include a requirement for performing credentialed vulnerability scanning, together with detailed operating procedures. Finally, NASA plans to propose establishment of a compliance verification capability within the NASA OCIO. NASA expects to complete all of these corrective actions by November 30, 2012.

Evaluation of Management's Response. NASA's planned corrective actions are responsive to our recommendations. We will close the recommendations upon verifying that NASA has completed these actions.

Recommendation 2. Associate Administrators for Mission Directorates and Center Chief Information Security Officers should ensure that

a. OCIO-developed baseline security configurations are applied to their systems; until these baseline settings are made available, ensure the appropriate CIS benchmarks are applied to their system components and deviations from the benchmarks are documented.

b. all system owners establish accounts within ITSEC-EDW and follow procedures set forth in NASA policies as they relate to ITSEC-EDW, vulnerability monitoring, and configuration security baselines.

c. appropriate system data are included in ITSEC-EDW and validated on a semiannual schedule.

d. systems undergo credentialed vulnerability scanning and the resulting data are integrated into ITSEC-EDW.

Management's Response. NASA concurred with our recommendation, stating that it is taking steps to ensure appropriate security baselines and benchmarks are applied to applicable Mission and Center IT components and that any deviations from the standards are documented. Additionally, NASA is deploying an enterprise-wide patch management and reporting tool for use by Mission Directorates and Centers. In cases where this tool will not be used, systems personnel will maintain documented justification in the form of an approved IT security waiver. In addition, Center CISOs and Mission Directorate Associate Administrators agree that by March 31, 2012, responsible parties will have accounts in and familiarize themselves with the functionality of ITSEC-EDW, and by June 30, 2012, will include the appropriate system information in ITSEC-EDW and coordinate with OCIO on developing a process for validating that data semiannually. NASA also stated that Centers and Mission Directorates have already begun utilizing credentialed scans and that OCIO plans to implement credentialed scanning on all systems that are capable of supporting unique scanning techniques by March 31, 2012. Finally, NASA plans to have vulnerability data from all Center and Mission Directorate systems that are scanned using McAfee Vulnerability Manager integrated into ITSEC-EDW by January 31, 2013.
Vulnerability data from NASA systems being scanned with other tools will be integrated into ITSEC-EDW as soon as possible.

Evaluation of Management's Response. NASA's planned corrective actions are responsive to our recommendations. We will close the recommendations upon verifying that NASA has completed these actions.

APPENDIXES

APPENDIX A

Scope and Methodology

We performed this audit from January through October 2011 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

We assessed NASA's progress in shifting toward a continuous monitoring approach to IT security by focusing on processes in place at four NASA Centers for three key elements: record of IT components, configuration management, and vulnerability monitoring. NIST Special Publication (SP) 800-53, Revision 3, "Recommended Security Controls for Federal Information Systems and Organizations," August 2009, defines requirements for control monitoring.
In addition to NIST SP 800-53 and the OCIO's May 18, 2010, memorandum (Appendix C), we reviewed the following Federal and Agency criteria, policies, and procedures:

• NIST SP 800-37, Revision 1, "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach," February 2010
• NIST SP 800-40, Version 2.0, "Creating a Patch and Vulnerability Management Program," November 2005
• NIST SP 800-128 (Initial Public Draft), "Guide for Security Configuration Management of Information Systems," March 2010
• NIST SP 800-137 (Initial Public Draft), "Information Security Continuous Monitoring for Federal Information Systems and Organizations," December 2010
• Federal Information Processing Standards (FIPS) Publication 199, "Standards for Security Categorization of Federal Information and Information Systems," February 2004
• NASA Procedural Requirements (NPR) 2810.1A, "Security of Information Technology (Revalidated with Change 1, May 19, 2011)"
• NITR 2810-12, "Continuous Monitoring," May 18, 2008 (expired May 18, 2011)
• NITR 2810-24, "NASA IT Device Vulnerability Management," January 28, 2010 (expired May 16, 2011)
• IT Security Handbook (ITS-HBK) 2810.02-04, "Security Assessment and Authorization: Continuous Monitoring – Annual Security Control Assessments," November 10, 2010
• ITS-HBK 2810.07-01, "Configuration Management," May 2011
• NASA OCIO Memorandum, "Center for Internet Security (CIS) Consensus Benchmarks," September 2, 2004
• NASA OCIO Memorandum, "Implementation of Center for Internet Security (CIS) Benchmarks," June 29, 2005
• NASA OCIO Memorandum, "FY [Fiscal Year] 2007 and FY 2008 Patch Management and Security Configuration Metrics," April 4, 2007
• NASA OCIO Memorandum, "Agency Security Configuration Standards: Federal Desktop Core Configurations," November 15, 2007
• NASA OCIO Memorandum, "Supplemental FY08 Guidance for Agency Security Configurations Standards and FDCC Reporting," February 20, 2008
• NASA OCIO Memorandum, "FY 2009 Scanning and Vulnerability Elimination or Mitigation," February 6, 2009
• NASA OCIO Memorandum, "Fiscal Year 2011 (FY11) Continuous Monitoring and Reauthorization Activities," January 11, 2011
• Johnson Space Center Chief Information Officer Memorandum, "[Johnson Space Center's] FY11 Strategy for Vulnerability Scanning and Risk Mitigation," January 21, 2011

We reviewed NASA policies and procedures to determine the roles, responsibilities, and procedures for including system components in ITSEC-EDW, applying configuration settings to system components, and vulnerability monitoring of NASA systems.

We interviewed system owners, system administrators, organization computer security officials, and the Center IT Security Managers (now called CISOs) at the Centers we visited, as well as OCIO personnel, including AVAR project personnel, the Emerging Technology and Desktop Standards project manager, and the ASCS technical lead. We interviewed key personnel at the project and system level to determine their awareness of NASA guidance and the procedures they follow for ensuring their components are included in ITSEC-EDW. To evaluate the comprehensiveness and accuracy of ITSEC-EDW, we compared the results of queries to that database with the results of our review. We also discussed ITSEC-EDW functionality with the Agency Security Update Service project manager.

We evaluated processes and tools used at the Centers to monitor and report IT components, to maintain system and component configurations, and to detect and remediate vulnerabilities.

We judgmentally selected 13 systems to review from an Agency-wide, non-national security system inventory list maintained by the OCIO. As of November 2010, the inventory list identified 550 internal systems and 43 external (contractor) systems. We did not verify the accuracy of this list. We limited our selection to high- and moderate-impact systems at the four Centers visited.
Of the 13 systems originally selected, we excluded 1 from our review because it was not connected to any other Agency network.

For each system that we reviewed, we assessed whether component samples reflected appropriate baseline security configurations, reviewed configuration documentation, and observed credentialed scans for vulnerabilities. We also judgmentally selected a sample of components connected to each system to query for information in ITSEC-EDW. We compared the results of the queries to data collected in configuration assessments and vulnerability scans.

Computer-Processed Data. We relied on data produced by a commercial software program to perform configuration tests on NASA's computer servers. Specifically, we used the CIS CAT to assess computer server operating system compliance with the applicable CIS benchmarks. We did not validate the data produced by the CIS CAT because this tool is widely accepted as a reliable source of information on operating system configuration settings. However, because of the wide variance in compliance scores, we evaluated the tool and found limitations, as discussed in the report.

We directed and observed the use of McAfee Foundstone Enterprise, a commercial vulnerability scanner, to test system components for technical vulnerabilities. We did not validate the data produced by Foundstone Enterprise because it is widely accepted as a reliable source of information on the presence of technical vulnerabilities in information systems.

Review of Internal Controls

We identified and evaluated the effectiveness of internal controls in place to manage configurations and continuously monitor systems and components. The control weaknesses we identified are discussed in the Results section of this report.
Our recommendations, if implemented, will help to correct the identified control weaknesses.

Prior Coverage

During the last 5 years, the NASA Office of Inspector General (OIG) and the Government Accountability Office (GAO) have issued three reports of particular relevance to the subject of this report. Unrestricted reports can be accessed over the Internet at http://oig.nasa.gov/audits/reports/FY11 (NASA OIG) and http://www.gao.gov (GAO).

NASA Office of Inspector General

"Federal Information Security Management Act: Fiscal Year 2010 Report from the Office of Inspector General" (IG-11-005, November 10, 2010)

"Audit of NASA's Efforts to Continuously Monitor Critical Information Technology Security Controls" (IG-10-019, September 14, 2010)

Government Accountability Office

"Information Security: NASA Needs to Remedy Vulnerabilities in Key Networks" (GAO-10-4, October 15, 2009)

APPENDIX B

GLOSSARY

Center Chief Information Security Officer (CISO): CISOs serve as advisors to the Senior Agency Information Security Officer, Center CIO, and senior Center officials on matters pertaining to information security. This role was previously referred to as the Information Technology Security Manager.

Center for Internet Security (CIS): The CIS is a not-for-profit organization that serves as a central resource to improve cybersecurity posture.
The CIS Security Benchmarks\n  division improves organizations\xe2\x80\x99 security posture by helping reduce the risk of\n  inadequate technical security controls.\n\n  Certification and Accreditation (C&A): Certification is the comprehensive evaluation\n  of security features of a system, made in support of the accreditation process, that\n  establishes the extent to which a particular design and implementation meet a specified\n  set of security requirements. Accreditation is the process by which certification is\n  reviewed and a formal declaration made that a system is approved to operate.\n\n  Configuration Baseline Settings: Security baseline configurations should conform to\n  applicable Federal requirements (e.g., FDCC and USGCB). USGCB security\n  configuration checklists (for Windows XP, Windows Vista, and Internet Explorer 7)\n  support the FDCC policy, and the USGCB checklists address a wide variety of security\n  and non-security settings that are largely based on the recommendations of product\n  vendors but customized to meet Federal requirements. The USGCB checklists are\n  referred to as baselines because they define minimum sets of configurations that must be\n  implemented.\n\n  Continuous Monitoring: Information security continuous monitoring is defined as\n  maintaining ongoing awareness of information security, vulnerabilities, and threats to\n  support organizational risk management decisions. The objective is to conduct ongoing\n  monitoring of the security of an organization\xe2\x80\x99s networks, information, and systems, and\n  respond by accepting, avoiding/rejecting, transferring/sharing, or mitigating risk as\n  situations change.\n\n  Credentialed Vulnerability Scans: A scanning engine uses credentials to login to the\n  system to enumerate services, applications, and patches. 
The information obtained by\n  using credentials during a vulnerability scan allows administrators to perform a more\n  comprehensive assessment of the security posture of their system, verify the performance\n  of their patching mechanisms, check service configurations, and discover erroneously or\n  maliciously installed services.\n\n\n\n\nREPORT NO. IG-12-006                                                                         19\n\x0c                                                                                           APPENDIX B\n\n\n\n     Federal Desktop Core Configuration (FDCC): FDCC is a security configuration\n     mandated by OMB. FDCC currently exists for Microsoft Windows XP and Vista\n     operating system software.\n\n     Foundstone Enterprise: See McAfee Vulnerability Manager.\n\n     Incident: Any adverse event or situation associated with a system that poses a threat to\n     the system\xe2\x80\x99s integrity, availability, or confidentiality.\n\n     Information Technology (IT): The term \xe2\x80\x9cinformation technology\xe2\x80\x9d means any\n     equipment or interconnected system or subsystem of equipment that is used in the\n     automatic acquisition, storage, manipulation, management, movement, control, display,\n     switching, interchange, transmission or reception of data or information.\n\n     Information Technology Security \xe2\x80\x93 Enterprise Data Warehouse (ITSEC-EDW):\n     ITSEC-EDW is intended to serve as an automated data warehouse providing an inventory\n     of NASA IT components and related security information. It will include consolidated\n     patch statistics, vulnerability scan results and hardware and software identification data.\n\n     Linux: Unix-like operating system that was designed to provide personal computer users\n     a free or very low-cost operating system comparable to traditional and usually more\n     expensive Unix systems. 
Linux has a reputation as a very efficient and fast-performing
  system.

  Malware: Also known as malicious code and malicious software, refers to a program
  that is inserted into a system, usually covertly, with the intent of compromising the
  confidentiality, integrity, or availability of the victim’s data, applications, or operating
  system or otherwise annoying or disrupting the victim.

  McAfee Vulnerability Manager: Formerly known as Foundstone Enterprise, the
  McAfee Vulnerability Manager finds and prioritizes vulnerabilities and policy violations
  on a network.

  Patch: An additional piece of code developed to address a problem in an existing piece
  of software.

  Patch Agent: A commercially available automated inventory management tool that
  monitors changes in the computer’s configuration and reports to a central database,
  thereby providing the patch and vulnerability group and management a picture of a
  system’s IT resources.

  Patch Management: The process of acquiring, testing, and distributing patches to the
  appropriate administrators and users throughout the organization.

  Risk Management: The process of managing risks to agency operations (including
  mission, functions, image, or reputation), agency assets, or individuals resulting from the
  operation of an information system. It includes risk assessment; cost-benefit analysis; the
  selection, implementation, and assessment of security controls; and the formal approval
  to operate the system.
The process considers effectiveness, efficiency, and constraints\n  due to laws, directives, policies, and regulations.\n\n  Security Authorization: The official management decision given by a senior\n  organizational official to authorize operation of an information system and to explicitly\n  accept the risk to organizational operations and assets, individuals, other organizations,\n  and the Nation based on the implementation of an agreed-upon set of security controls.\n\n  Security Controls: The management, operational, and technical controls (e.g.,\n  safeguards or countermeasures) prescribed for an information system to protect the\n  confidentiality, integrity, and availability of the system and its information.\n\n  Security Posture: The overall state of an information system\xe2\x80\x99s confidentiality, integrity,\n  and availability in the face of an ever-changing risk landscape.\n\n  Unix: Unix is a multi-user environment that has been implemented on a variety of\n  platforms. With the exception of Microsoft Windows, all current major operating\n  systems have some kind of Unix at their cores. Unix is not so much a single operating\n  system as it is a standard upon which organizations and companies base their own\n  systems.\n\n  Virus: A program designed with malicious intent that has the ability to spread to\n  multiple computers or programs. 
Most viruses have a trigger mechanism that defines the
  conditions under which they will spread and deliver a malicious payload of some type.

  Vulnerability: A flaw or weakness in system security procedures, design,
  implementation, or internal controls that could be exercised (accidentally triggered or
  intentionally exploited) and result in a security breach or a violation of the system’s
  security policy.

  Vulnerability Management: The process of managing weaknesses in an information
  system, system security procedures, internal controls, or implementation that could be
  exploited or triggered by a threat source.

  Vulnerability Scanning: An assessment technique used to identify hosts/host attributes
  and associated vulnerabilities.


                                                                                    APPENDIX C

     NASA OCIO MEMORANDUM


                                                                                    APPENDIX D

     MANAGEMENT COMMENTS


                                                                                    APPENDIX E

                                                    REPORT DISTRIBUTION

National Aeronautics and Space Administration

  Administrator
  Deputy Administrator
  Chief of Staff
  Chief Information Officer
  Associate Administrator for Aeronautics Research
  Associate Administrator for Exploration Systems
  Associate Administrator for Science
  Associate Administrator for Space Operations
  NASA Advisory Council’s Audit, Finance, and Analysis Committee
  Director, Ames Research Center
  Director, Dryden Flight Research Center
  Director, Glenn Research Center
  Director, Goddard
     Manager, White Sands Test Facility
  Director, Jet Propulsion Laboratory
  Director, Johnson Space Center
  Director, Kennedy Space Center
  Director, Langley Research Center
  Director, Marshall Space Flight Center
  Director, Stennis Space Center
  Executive Director, NASA Shared Services Center

Non-NASA Organizations and Individuals

  Office of Management and Budget
     Deputy Associate Director, Energy and Science Division
         Branch Chief, Science and Space Programs Branch
  Government Accountability Office
     Director, NASA Financial Management, Office of Financial Management and
        Assurance
     Director, NASA Issues, Office of Acquisition and Sourcing Management

Congressional Committees and Subcommittees, Chairman and
  Ranking Member

     Senate Committee on Appropriations
        Subcommittee on Commerce, Justice, Science, and Related Agencies
     Senate Committee on Commerce, Science, and Transportation
        Subcommittee on Science and Space
     Senate Committee on Homeland Security and Governmental Affairs
     House Committee on Appropriations
        Subcommittee on Commerce, Justice, Science, and Related Agencies
     House Committee on Oversight and Government Reform
        Subcommittee on Government Organization, Efficiency, and Financial Management
     House Committee on Science, Space, and Technology
        Subcommittee on Investigations and Oversight
        Subcommittee on Space and Aeronautics


Major Contributors to the Report:
   Wen Song, Director, Information Technology Directorate
   Vincent Small, Project Manager
   Chris Reeves, Audit Lead
   Bessie Cox, Auditor
   Bret Skalsky, Auditor


ADDITIONAL COPIES
Visit http://oig.nasa.gov/audits/reports/FY12/ to obtain additional copies of this report, or contact the
Assistant Inspector General for Audits at 202-358-1232.

COMMENTS ON THIS REPORT
In order to help us improve the quality of our products, if you wish to comment on the quality or
usefulness of this report, please send your comments to Mr. Laurence Hawkins, Audit Operations and
Quality Assurance Director, at Laurence.B.Hawkins@nasa.gov or call 202-358-1543.

SUGGESTIONS FOR FUTURE AUDITS
To suggest ideas for or to request future audits, contact the Assistant Inspector General for Audits.
Ideas and requests can also be mailed to:
      Assistant Inspector General for Audits
      NASA Headquarters
      Washington, DC 20546-0001

NASA HOTLINE
To report fraud, waste, abuse, or mismanagement, contact the NASA OIG Hotline at 800-424-9183 or
800-535-8134 (TDD). You may also write to the NASA Inspector General, P.O. Box 23089, L’Enfant
Plaza Station, Washington, DC 20026, or use http://oig.nasa.gov/hotline.html#form. The identity of
each writer and caller can be kept confidential, upon request, to the extent permitted by law.